[Discuss] Port Scanning
Kent Borg
kentborg at borg.org
Sun Aug 4 15:38:00 EDT 2024
On 8/4/24 11:07, Daniel M Gessel wrote:
> people will try to isolate trusted networks from the untrusted outside
> world;
And I assert that it is usually a bad design to pretend that "trusted
networks" are worthy of trust. That's not paranoid enough.
> any such scheme is called a "firewall".
Because I don't think such a scheme is paranoid enough…is why I don't
like firewalls.
Again, I have *no* objection to firewalls as an *extra* layer of
protection, but they are seldom used that way.
Steve Litt <slitt at troubleshooters.com> wrote:
> I wouldn't be caught dead plugging a computer into the Internet without
> a firewall in between.
Which I take to mean your firewall is not merely an extra layer of
protection, otherwise being without it would not be so terrifying.
Rich Pieri <richard.pieri at gmail.com> wrote:
> First, the original quote is, "[t]he worst enemy of security is
> complexity."
Okay.
And I am quoting Peter Gutmann, circa now. I like his version better.
> A corollary is that just because *you* don't understand it doesn't mean
> that the people who do understand it are unable to keep it secure.
There are multiple cybersecurity firms out there making good money
helping companies try to figure out what they are running, because those
companies don't know. If they are building systems that need to pay for
an external service to tell them what they have, then I'm not the only
one who is too stupid to understand. Or…maybe they are too complex.
Oh, and by giving the external service access to their internal systems
they have made their total system *more* complex. They have a problem of
too much complexity, and to make it better they make it more complex. Fun!
Do companies even know what external commercial services they are using
and have given access to? I suppose they could ask accounting who they
are paying that might therefore have access to their internal systems.
(Has accounting been outsourced?)
Maybe time to start an ESIaaS (External Service Identification as a
Service) company.
Clearly the world mostly disagrees with me, I know that. Clearly there
are plenty of those folk here. Firewalls and "trusted networks" have
three decades of "that's how we do things" behind them. Why would
anything I say make any difference against such tradition? (Computer
people think the industry is about innovation, and it is, but it is also
deeply traditional.)
And of course all of this is theoretical, just my making noise about a
non-problem. Our computer systems are secure. It's not like there are
breaks happening. And certainly not bad enough that they might ever make
the news.
No bad news is one indication of no problem.
-kb